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Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was 
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment 
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and 
special reports prepared as part of our oversight responsibilities to promote economy, 
efficiency, and effectiveness within the department. 

This report addresses the strengths and weaknesses of the department's management of 
the purchase card program. It is based on interviews with employees and officials of 
relevant agencies and institutions, direct observations, and a review of applicable 
documents. 

The recommendations herein have been developed to the best knowledge available to our 
office, and have been discussed in draft with those responsible for implementation. We 
trust this report will result in more effective, efficient, and economical operations. We 
express our appreciation to all of those who contributed to the preparation of this report. 




Anne L. Richards 

Assistant Inspector General for Audits 
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Executive Summary 

The Department of Homeland Security's purchase card program 
provides an efficient, low-cost procurement and payment 
mechanism to acquire goods and services. In fiscal year 2010, the 
department made about 1.2 million purchases valued at about 
$514 million for goods and services using purchase cards. 
Although purchase card use does reduce administrative 
procurement costs, the risk of inappropriate use can increase when 
effective internal controls are not in place. We performed this 
audit to determine whether DHS has internal controls in place to 
ensure that purchase cards are used for their intended purpose. 

The department generally had an effective internal control 
framework developed, but it needs to improve specific internal 
control procedures to mitigate the inherent risks associated with 
purchase card use. The department's post payment audit process 
did not ensure that component personnel were meeting minimum 
internal control requirements established by the Office of 
Management and Budget. Nor did the process effectively target 
high-risk transactions for review. Ninety-three percent of the 
purchase card transactions we reviewed did not fully comply with 
the Office of Management and Budget's requirements, and the 
department's purchase card manual and components' guidance 
were incomplete and inconsistent. As a result, the department 
cannot be sure that purchase cards are always used for their 
intended purpose. Based on our audit, the department's Office of 
the Chief Financial Officer has initiated corrective actions to 
improve internal controls over the purchase card program. 

We are making three recommendations that when implemented 
will improve the Department of Homeland Security's internal 
controls and oversight of its purchase card program. The Chief 
Financial Officer agreed with our recommendations and initiated 
corrective actions. 
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Background 

Purchase cards provide an efficient, low-cost procurement and 
payment mechanism that eliminates the need for paper purchase 
orders, expedites vendor payments, and provides an audit trail. 
Purchase cards are the preferred method to purchase goods and 
services under the micropurchase limit of $3,000. A component's 
Head of the Contracting Activity may also authorize purchases 
over the micropurchase limit. In fiscal year (FY) 2010, the 
Department of Homeland Security (DHS) authorized about 10,900 
employees to use purchase cards, and the cardholders made 
approximately 1.2 million purchases valued at about $514 million. 

Federal Acquisition Regulation Part 13, Simplified Acquisition 
Procedures, codifies the policies and procedures for using purchase 
cards to acquire supplies and services under the simplified 
acquisition threshold. Office of Management and Budget (OMB) 
Circular A- 123, Appendix B, Improving the Management of 
Government Charge Card Programs, provides guidance to 
agencies for maintaining internal controls that reduce the risk of 
fraud, waste, and error in purchase card programs. 

The department's Office of the Chief Financial Officer (OCFO) 
established the Bank Card Program Office to provide department- 
wide policy and oversight of the purchase card program. This 
program office issued the DHS Purchase Card Manual to establish 
purchase card policies and procedures. It also authorized certain 
components to maintain their own guidance and use the DHS 
manual as overarching policy. The department program 
coordinator is responsible for the centralized DHS online purchase 
card payment process. 

The program coordinator has direct responsibility for the 
department's purchase card program, while components' 
organizational program coordinators (also known as component 
coordinators) oversee the program within their organizations. The 
program coordinator monitors component compliance with 
departmental policies and procedures. The program coordinator 
tests the effectiveness of internal controls by monitoring 
transaction data provided by the bank and through the components' 
monthly post payment audit review submissions. Component 
coordinators oversee their approving officials. Approving officials 
are responsible for ensuring that purchases made by individual 
cardholders are in accordance with applicable regulations, policies, 
and procedures. 
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Although purchase cards provide an efficient method to purchase 
goods and services, fraudulent, improper, or abusive purchases are 
inherent risks in every purchase card program. Fraudulent 
purchases include purchases of goods or services that are 
unauthorized or acquired for personal use. Improper purchases 
include purchases of goods or services intended for government 
use but not permitted by law or regulation. Abusive purchases are 
purchases for authorized goods or services, but at terms that are 
excessive, are of questionable government need, or both. These 
inherent risks generally occur when there is insufficient adherence 
to internal control policies and procedures. 

Results of Audit 

DHS generally had an adequate framework for internal controls to manage its 
purchase card program. However, the department needs to improve its 
implementation of some internal controls to mitigate the inherent risks associated 
with purchase card use. The department needs to strengthen its post payment 
audit process to ensure that component personnel are complying with appropriate 
purchase card controls, and needs to ensure that the process identifies and tests 
high-risk transactions. Department personnel did not verify the results of 
component reviews and did not effectively target high-risk transactions for review. 
Of the transactions we reviewed, 93% did not comply with at least one of the 
internal control elements based on OMB requirements. Additionally, the 
department's Purchase Card Manual and components' guidance were incomplete 
and inconsistent. As a result, the department cannot be sure that purchase cards are 
always used for their intended purpose. In response to our audit, the DHS OCFO 
has initiated corrective actions to improve the internal controls over the purchase 
card program. 

DHS Post Payment Audit Review Program 

The Chief Financial Officer implemented the Post Payment Audit 
Procedures for Purchase Cards Program (post payment audit program) as a 
control to monitor purchase card use. Component coordinators are 
required to examine cardholders' transactions and supporting 
documentation, and then report the results of their reviews to the 
department program coordinator. However, department personnel did not 
independently verify the results of the reviews. Additionally, the post 
payment audit program did not target high-risk transactions. 

Supporting Documentation 

Under the post payment audit program, the program coordinator 
provides a randomly selected sample of purchase card transactions 
to each component coordinator to test the effectiveness of internal 
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controls. Cardholders are required to provide supporting 
documentation for the sampled transactions to the component 
coordinators to review and validate the transactions. Based on 
OMB Circular A- 123 guidance, the department developed 
requirements within the DHS Post Payment Audit Procedures for 
Purchase Card manual that appropriate supporting documentation 
should contain evidence to show the following: 

• Legitimate government need for the goods or service 

• Screening for required vendors 

• Independent receipt and acceptance 

• Establishment of accountability over property 

• Prior approval in writing 

• Documentation and invoice dates that match purchase dates 

• Disputes with the vendor handled promptly 

• Freight costs in excess of $100 supported by the carrier's 
invoice 

• Purchases that do not exceed the micropurchase threshold 

Component coordinators provide the results of their reviews, along 
with the supporting documentation, to the department's program 
coordinator. (See appendix C for a workflow of the post payment 
audit process.) 

We analyzed 75 of the 450 transactions in the department's post 
payment audit review covering July to November 2009 to evaluate 
the effectiveness of this internal control. We determined whether 
the transactions had adequate supporting documentation to meet 
OMB purchase card requirements. We found that 67 of the 75 
transactions (89%) did not comply with at least one of the internal 
control elements based on OMB requirements, as shown in table 1 . 



Table 1. Percentage of Transactions With Insufficient Documentation 



Component 


Total Transactions 
Reviewed per 
Component 


Transactions With 
Insufficient Supporting 
Documentation 


% 


CBP 


15 


15 


100% 


CIS 


15 


12 


80% 


ICE 


15 


13 


87% 


TSA 


15 


14 


93% 






13 


87% 






67 


89% 



(See appendix D for more detail.) 
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Customs and Border Protection (CBP), Citizenship and 
Immigration Services (CIS), and Transportation Security 
Administration (TSA) component coordinators originally reported 
that all of their transactions had supporting documentation and met 
OMB requirements. However, our review showed that 15 of 15, 
12 of 15, and 14 of 15 reports, respectively, did not meet OMB 
requirements. Immigration and Customs Enforcement (ICE) 
originally reported that 7 of its transactions did not have sufficient 
supporting documentation, but we determined that 13 of 15 did not 
meet OMB requirements. The U.S. Coast Guard (USCG) did not 
meet the reporting deadline for this post payment audit review 
period. When USCG provided the post payment audit reports, 13 
of the 15 transactions did not meet OMB requirements. 

The post payment audit review program was not an effective 
internal control to mitigate the inherent risks associated with 
purchase card use. OCFO personnel attributed this to the 
department program office not having sufficient resources to 
review the supporting documentation and validate the reports. 

Sampling Methodology 

Since February 2009, the department has been coordinating with a 
contractor to develop lists of purchase card transactions for review. 
The contractor has been using a random sampling methodology 
based on the Government Accountability Office (GAO) Financial 
Audit Manual Section 450 - Sampling Control Test (FAM 450). On 
a monthly basis, the contractor provided a list of 45 purchase card 
transactions from each major component's previous month's 
transactions to the program coordinator. However, these simplified 
random sampling techniques did not effectively target high-risk 
transactions for the post payment audit reviews. 

We reviewed four of the contractor's sampling methodologies used 
for randomly selecting the purchase card transactions for the post 
payment audit reviews. We compared the sampling techniques with 
GAO's FAM 450, and found that the sampling techniques did not 
provide sufficient guidance or documentation on sample selection. 
The post payment audit transactions selected for review did not 
address many of the control test requirements, and generally were 
low-risk, minimal-dollar-value transactions such as the following: 

• Make a car key in the amount of $5 . 1 7 

• FedEx Services in the amount of $6.83 

• Purchase a wireless door chime in the amount of $28.97 

• Purchase brown paper towels in the amount of $40. 1 
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Overall, using only simplified random sampling techniques to 
select purchase card transactions for audit limited the effectiveness 
of the post payment audit program. A more effective approach 
would be to add data mining techniques to target high-risk 
purchase card transactions. 

Data Mining 

Data mining is designed to identify potentially fraudulent, 
improper, and abusive purchase card transactions. Data mining 
searches the data to find transactions or patterns of activity that 
exhibit predetermined characteristics, associations, or anomalies 
between different pieces of information. 

The program coordinator's access to the bank vendor's purchase 
card data system allowed us to pull raw transaction data from July 
1, 2009, to May 1, 2010. We pulled data for CBP, CIS, ICE, TSA, 
and USCG, the five largest DHS components using purchase cards. 
The transaction purchase card data consisted of more than 900,000 
transactions valued at more than $392 million. Using data-mining 
techniques, we identified 70,503 potentially high-risk transactions 
valued at $29,594,948, including the following: 

• Potential split purchases to circumvent micropurchase or 
other single-purchase limits; 

• Blocked or recommended blocked Merchant Category 
Code (MCC) purchases for restricted goods or services; and 

• Purchases made outside normal business hours (weekends 
and holidays). 

(For more information on transaction definitions and the data- 
mining process, see appendixes E and F.) 

From these potentially high-risk transactions, we selected a 
judgmental sample based on purchased goods and services, 
cardholder locations, purchase times and dates, and transaction 
dollar amounts. We reviewed 201 transactions valued at more than 
$184,000 for purchases made by 21 cardholders assigned to five 
components in four different locations, as shown in table 2. 
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Table 2. Targeted High-Risk Purchase Card Transactions 



Locations 


Component 


Number of 

V tl I uuuiuci » 


Number of 

X 1 AW 3d C 1 


Dollar Totals 


Boston 


UbCG 


A 
4 


45 


$35,509.95 


Chicago 


Lib 


1 


16 


$9,738.15 


Chicago 




z 


1 / 




DC 


CBP 


4 


35 


$60,550.40 


DC 


ICE 


3 


15 


$31,732.47 


Miami 


CBP 


1 


10 


$4,830.49 


Miami 


USCG 


5 


63 


$38,128.61 


TOTALS 




21 


201 


$184,291.99 



We found that 187 of the 201 transactions (93%) did not comply 
with at least one of the internal control elements based on OMB 
requirements. For example: 



• Forty-two percent did not provide any evidence that funds 
were available prior to the purchases. 

• Sixty-nine percent did not provide any evidence that an 
independent third party signed for the merchandise or 
service upon delivery. 

• Thirty-two percent did not provide any evidence the 
component established any accountability over property 
purchased. 

• Forty-one percent did not provide any evidence of approval 
by the approving official. 

We identified three transactions valued in excess of $1,000 for 
items that component personnel could not account for or locate. 
The cardholder purchased these items at a store, took possession of 
the items, and transported the items. There was no evidence in the 
transaction file of independent receipt and acceptance by a third 
party. OMB Circular A- 123 specifically requires supporting 
documentation as evidence of independent receipt and acceptance 
of goods by someone other than the cardholder. 

We expanded our review of this cardholder's transactions and 
identified numerous additional questionable split purchase 
transactions designed to circumvent the simplified single-purchase 
acquisition threshold of $3,000. Federal Acquisition Regulations 
require that appropriate acquisition competition take place when 



Use of DHS Purchase Cards 



Page 7 



the proposed contract exceeds $3,000. We did not find evidence of 
approved waivers or required presolicitation notices. 

The department generally had effective internal controls in place to 
manage its purchase card program. However, the post payment 
audit process did not ensure that components were meeting OMB 's 
purchase card requirements. Department personnel did not verify 
the results of post payment audit reviews, and the program did not 
effectively target high-risk transactions for review. As a result, the 
department cannot be sure that purchase cards are always used for 
their intended purpose. 

DHS Manual and Component Guidance 

OMB Circular A- 123, Appendix B, Improving the Management of 
Government Charge Card Programs, established standard minimum 
requirements for government charge card programs that must be included 
in internal agency regulations, procedures, and training materials. Some 
components use the DHS Purchase Card Manual as their primary 
guidance, and DHS has authorized others to maintain their own guidance 
and use the DHS manual as overarching policy. However, the DHS 
manual and current components' guidance are inconsistent and do not 
address all OMB regulatory requirements. 

We compared OMB purchase card requirements with the DHS Purchase 
Card Manual, and found numerous requirements not addressed. For 
example, the DHS Purchase Card Manual did not require - 

• Program participants to certify that they have received purchase 
card training, understand the regulations and procedures, and know 
the consequences of inappropriate actions; 

• Purchase card managers to communicate the agency's policy on 
when referral to an agency OIG is appropriate or required; or 

• Purchase card managers to check the productivity and sales refund 
deals offered by charge card vendors in comparison with other 
government-wide charge card contracts to ensure a competitive 
offer. 

Many of the same OMB requirements were also missing from 
components' guidance. For example, various components' guidance did 
not communicate any policy on when referral for fraud to an agency OIG 
is appropriate or required. Specifically: 
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• CBP guidance requires referral only to Human Resources 
Management, Office of General Counsel, the cardholder's 
supervisor, and/or the organizational program coordinator. 

• CIS guidance requires referral only to the Chief of the Financial 
Management Division. 

• ICE guidance requires referral only to the organizational program 
coordinator, Human Resources, Office of General Counsel, and the 
cardholder's supervisor. 

• TSA guidance requires referral only to the organizational program 
coordinator. 

• USCG guidance does not address where employees are to refer 
allegations of purchase card fraud. 

OMB also requires that cardholders obtain approval from their approving 
official prior to making purchases. The DHS Purchase Card Manual was 
unclear on who should provide this prior approval. On one page, the 
manual required approval "by someone other than the purchase cardholder," 
but on another it required the cardholder to "receive written authorization 
from his/her Approving Official to make the prospective purchase." ICE's 
and USCG's guidance did not require prior approvals by an approving 
official before purchase. 

Cardholders generally obtained some form of written approval prior to 
making a purchase even though the DHS manual and component's 
guidance are unclear. However, our review of the 276 purchase card 
transactions found that someone other than a designated approving official 
approved 36%, and 5% had no approval. 

As a result of our audit, the department revised the DHS Purchase Card 
Manual on August 25, 2010, to include specific guidance requiring that 
"all DHS employees shall report suspected purchase card fraud or misuse 
to the Office of Inspector General." The department also clarified the 
manual to direct cardholders to "ensure written approval is obtained by 
their immediate supervisor and their Approving Official prior to incurring 
each purchase card transaction." However, since not all of the OMB 
requirements are addressed in either the DHS manual or components' 
guidance, the department cannot be sure that cardholders are aware of all 
purchase card requirements or that purchase cards are used for their 
intended purpose. 

Actions Taken by OCFO 

We discussed the results of our work with OCFO officials. As a result, 
OCFO has initiated the following corrective actions: 
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• Conducted a comprehensive review of the DHS Purchase Card 
Manual, comparing it with OMB Circular A- 123, Appendix B, to 
identify areas for improvement, gaps in current processes, and 
deficiencies that may allow improper use of a government 
purchase card to take place; 

• Conducted a comprehensive review of eight component purchase 
card policy manuals, comparing each with the DHS Purchase Card 
Manual to identify areas for improvement, gaps in current 
processes, and deficiencies that may allow improper use of a 
government purchase card to take place; 

• Conducted a comprehensive review of selected component 
purchase card transactions to determine adherence to federal and 
DHS policy and detect instances of improper use of a government 
charge card; and 

• Used data mining techniques to identify questionable purchase 
card transactions, and required components to verify and validate 
each identified transaction. 

OCFO stated that the steps taken above have enabled it to update purchase 
card policies and create Mission Action Plans to resolve identified 
deficiencies. OCFO intends to issue a final report containing details of the 
reviews, along with considerations for improving each manual, to 
components. 

OCFO plans to establish a Bank Card Assessment Team to implement and 
monitor sustainable management controls covering the government charge 
card program. OCFO states that the Bank Card Assessment Team will 
serve as the oversight body for the department's Bank Card Program and 
will - 

• Develop guidance for components to implement, assess, report, 
and monitor management controls surrounding travel, purchase, 
and fleet cards. 

• Perform post payment audits of randomly selected component 
transactions and report findings to the DHS Chief Financial Officer. 

• Provide government charge card training to the DHS community. 

• Provide oversight for determining the level, effort, and resources 
needed for efficiently managing the department' Bank Card 
Program. 

• Brief the Senior Management Council, Chief Financial Officer, 
Senior Assessment Team, and other DHS senior leadership on 
various bank card topics. 

Also, OCFO states that it will continue to conduct quality assurance 
sampling for each post payment audit review. This will include drafting a 
formal quality assurance plan and revised post payment audit standard 
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operating procedures. OCFO will also continue to use data mining to 
improve the review of transaction samples via its post payment audit 
process. OCFO plans to draft a data mining plan that incorporates OIG's 
data mining techniques to strengthen processes currently in place. 

Recommendations 

We recommend that the DHS Office of the Chief Financial Officer: 

Recommendation #1 : Review post payment audit review 
transactions and verify that all reports and their supporting 
documentation are valid and sufficient. 

Recommendation #2 : Develop data mining techniques to target 
high-risk transactions for the post payment audit review program. 

Recommendation #3 : Update the DHS Purchase Card Manual to 
address all OMB Circular A- 123 purchase card requirements, and 
direct all components to similarly update their guidance. 



Management Comments and OIG Analysis 

The Deputy Chief Financial Officer (DCFO) provided comments on a 
draft of this report. A copy of the comments in their entirety is included in 
appendix B. 

The DCFO took exception to our discussion of the post payment audit 
methodology and stated that OCFO, not contractors, is responsible for 
developing the lists of purchase card transactions for review. We 
recognize that OCFO is responsible for developing the list of purchase card 
transactions for review. However, OCFO used contractors to apply 
sampling techniques to develop the lists of purchase card transactions. 

The DCFO also stated that our report oversimplifies the department's 
sampling methodology. We recognize that OCFO is applying GAO's 
FAM 450 sampling methodology. However, these simplified random 
sampling techniques did not effectively target high-risk transactions in the 
purchase card program. 

The DCFO concurred with all three recommendations in this report. 

Management Comments to Recommendation #1 

The DCFO concurred with this recommendation, agreeing that it is 
imperative to ensure that payments are valid and sufficient. The 
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DCFO indicated that it made several changes to the purchase card 
program. Using the 27-attribute checklist requirements as a guide, 
the DCFO stated that it developed and delivered training to 
components to reinforce documentation retention, signature 
approval, and internal controls compliance for the purchase card 
transactions. The DCFO indicated that it also added an additional 
review requirement to the post-payment audit process. 

OIG Analysis: The DCFO's actions are responsive to the 
recommendation. The recommendation is resolved, but will 
remain open until the DCFO provides - 

• The December 20 1 training developed and delivered to 
components based on the 27-attribute checklist requirement. 

• The March 201 1 revised post-payment audit standard 
operating procedure that includes the 27-attribute checklist, 
the Purchase Card Transaction Worksheet, and the second- 
level review requirements which also clarifies transaction 
approval authority. 

Management Comments to Recommendation #2 

The DCFO concurred with this recommendation, noting that it has 
piloted its first review of high-risk transactions. The DCFO is 
incorporating lessons learned from this pilot and our draft report 
into the development of a data-mining program to identify high- 
risk transactions for future post-payment audit reviews. 

OIG Analysis: These DCFO actions are responsive to the 
recommendation. However, this recommendation will remain 
open and unresolved until the DCFO provides copies of its 
findings from the pilot program and detailed documentation 
supporting the development of their internal data-mining program. 

Management Comments to Recommendation #3 

The DCFO concurred with this recommendation. The DCFO did 
revise the DHS Purchase Card Manual in August 2010 based on 
preliminary OIG recommendations. The DCFO states that OCFO 
is revising the DHS Purchase Card Manual to address all of OMB 
Circular A- 123, appendix B requirements. The DFCO plans to 
direct the components to update guidance to make the necessary 
revisions into the manuals. 
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OIG Analysis: These DCFO actions are responsive to the 
recommendation. The recommendation is resolved, but will 
remain open until the DCFO provides - 

• The revised Purchase Card Manual incorporating all of 
OMB Circular A- 123, appendix B requirements, which is 
planned to be complete by September 30, 201 1; and 

• Copies of the management memo directing all components 
to update their guidance to incorporate these revisions into 
their manuals, as well as confirmation that components 
have made all the required updates. 
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Appendix A 

Purpose, Scope, and Methodology 

We performed an audit of the use of DHS purchase cards to 
determine whether DHS had internal controls in place to ensure 
that purchase cards are used for their intended purpose. We 
assessed whether guidance was complete and consistent, the DHS 
post payment audit review process was effective, and how system 
use could be improved. 

We performed this audit at DHS headquarters and the component 
headquarters of CBP, CIS, ICE, TSA, and USCG in the 
Washington, DC, area, as well as with field components at the 
following locations: CBP in Miami, FL; CIS in Chicago, IL; ICE 
in Washington, DC; TSA in Chicago, IL; USCG in Boston, MA, 
and Ft. Lauderdale and Miami, FL. We interviewed various 
officials in the DHS Office of the Chief Financial Officer, the 
Financial Policy and Review Branch, and the Purchase Card 
Program Office, as well as components organizational program 
coordinators, approving officials, and cardholders at five 
components. 

We reviewed and compared the various federal acquisition 
regulations pertaining to purchase card use, and compared CBP, 
CIS, ICE, TSA, and USCG components' purchase card guidance 
against the DHS Purchase Card Manual (October 2009). We 
conducted data mining analysis using indicators for high-risk 
transactions and possible fraud to review more than 900,000 
purchase card transactions valued at more than $392 million. 

We conducted fieldwork for this performance audit between June 
2009 and September 2010 pursuant to the Inspector General Act of 
1978, as amended, and according to generally accepted 
government auditing standards. Those standards require that we 
plan and perform the audit to obtain sufficient, appropriate 
evidence to provide a reasonable basis for our findings and 
conclusions based upon our audit objectives. We obtained an 
understanding of the internal controls that were significant within 
the context of our audit objective. We evaluated the design and 
operating effectiveness of these internal controls to determine the 
reliability of information used in performing these significant 
controls. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based upon our 
audit objectives. 
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Appendix B 

Management Comments to the Draft Report 



U.S. Departmenl or Homeland Security 

Washington, DC 20J2S 



Homeland 
Security 




June 13, 2011 



MEMORANDUM FOR; 



Anne L. Richards 

Assistant Inspector General for Audits 



FROM: 




Deputy Ofefcf Financial Officer 



SUBJECT: 



Use of DHS Purchase Cords, OIG Project No. 09-173-AUD-DHS 



Thank you for the opportunity to review and comment on this draft report. The U.S. 
Department of Homeland Security (DHS) appreciates the Office of Inspector General's (OIG) 
work conducting its review of the DHS Purchase Card program. 

I am pleased to note the OIG found the Department generally has an effective internal control 
framework for managing its purchase card program. The report also recognizes many of the 
positive actions the Office of the Chief Financial Officer (OCFO) initiated during the audit, 
some as long as nearly a year ago. to improve the purchase card program internal controls. 

I would, however, like to address a few items in the OIG report that require clarification. 
I am concerned that the OIG's report characterized a transaction as non-compliant if any one of 
the 27 attributes tested for each transaction was not met. In June 2009, the purchase card 
program transitioned to a new Government charge card vendor, and as a result, the Department 
focused on resolving transitional issues and ensuring continued mission support and program 
operations. Once day-to-day operations stabilized, OCFO conducted additional post-payment 
audit work in August 20 10 to determine whether the post-payment audit results had improved 
since the OIG performed its testing. In August 2010, OCFO tested 75 randomly selected 
purchase card transactions using the same 27 attributes in the OlG's audit. Of the total number 
of attributes tested, 92 percent of attributes passed. 

The OIG's portrayal of our post-payment audit methodology does not accurately reflect DHS 
sampling techniques. First, OCFO, not contractors, is responsible for developing the lists of 
purchase card transactions for review. Second, the OIG report over simplifies the Department's 
robust and efficient sampling methodology, which is consistent with the US Government 
Accountability Office (GAO), Financial Audit Manual (FAM), and Section 450. 

The OCFO will continue several activities to further improve our assessment of key controls 
within the purchase card program. For example, we are developing a crosswalk of pending 
Senate Bill S.300, "Government Charge Card Abuse Prevention Act of 2011, " to OMB A-123, 
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Appendix B 

Management Comments to the Draft Report 



Appendix B and the DHS Purchase Card Manual. We are also testing the design and 
effectiveness of key controls at several levels, to include organization program coordinators 
(OPCs) and program managers, and will use our findings to implement new or stronger 
controls. In addition, D11S will review roles and responsibilities of financial management and 
procurement functions to provide stronger oversight to prevent fraud, waste, and abuse. 

Your report contained three recommendations. As discussed below, DI1S concurs with all three 
recommendations. Specifically, you recommended the OCFO: 

Recommendation #1: Review post-payment audit review transactions and verify that all 
reports and their supporting documentation are valid and sufficient. 

Management Response: Concur. DIIS agrees that it is imperative to ensure payments are 
valid and sufficient DHS takes this responsibility seriously and will continue to exercise a 
robust post-payment audit review process. To strengthen our existing process, we have already 
taken the following actions: 

• During Fiscal Year (FY) 2010, the OCFO conducted a quality assurance review of the 
FY 20 10 third quarter post-payment audit sample. We are currently conducting a 
second quality assurance review covering samples from September through December 
2010. 

• In November 2010, the OCFO, in collaboration with the Office of the Chief 
Procurement Officer and Office of the Chief Administrative Officer, established a 
Bankcard Assessment Team (BAT). The BAT is comprised of senior leaders in the 
Department and from the Components, and it meets monthly to improve management 
controls for the Department's charge card programs. 

• In December 2010, using the 27-attribute checklist requirements as a guide, the OCFO 
developed and delivered training to Components to reinforce documentation retention, 
signature approval, and internal controls compliance for (he purchase card transactions. 
The Department is committed to providing additional training to ensure each OPC, 
approving official, and cardholder understands the controls for the program. 

• In March 201 1, the OCFO implemented the use of a Purchase Card Transaction 
Worksheet (PCTW). which is a checklist of the attributes used at the cardholder level. 
Cardholders will complete this worksheet prior to making purchases, which will help to 
ensure compliance with OMB Circular A-123, Appendix B and will further strengthen 
internal controls compliance within the post-payment audit process. 

• In March 201 1 , OCFO added an additional review requirement to the post-payment 
audit process. Each month, before submitting responses, Components conduct a second, 
independent level of review of post-payment audit transactions to verify their validity 
and completeness. 
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Appendix B 

Management Comments to the Draft Report 



• In March 2011, OCl'O revised the post-payment audit standard operating procedure to 
include the 27-attribute checklist, the PCTW, and the second-level review requirements. 
The revision also clarified transaction approval authority. 

Based on the aforementioned corrective actions already taken, OCFO considers this 
recommendation closed. 

Recommendation #2: Develop data-mining techniques to target high-risk transactions for the 
post-payment audit review program. 

Management Response: Concur. We piloted our first review of high-risk and questionable 
transactions. We are incorporating lessons learned from the pilot and the OIG draft report into 
the development of a robust data-mining program to identify high-risk and questionable 
transactions for future post-payment audit reviews. 

Recommendation #3: Update the DHS Purchase Card Manual to address all OMB Circular 
A- 123 purchase card requirements, and direct all Components to similarly update their 
guidance. 

Management Response: Concur. We revised the manual in August 20 10 based on preliminary 
recommendations from the OIG, as acknowledged in the draft report. We are currently revising 
the manual to incorporate rebate and refund management to address all of OMB Circular A- 123, 
Appendix B requirements by September 30, 201 1 and will direct the Components to update 
their guidance to incorporate the revisions into their manuals. 

Once again, thank you for the opportunity to review and comment on this draft report. 
Technical comments have been provided under separate cover. We look forward to working 
with you on future Homeland Security issues. 



3 
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Appendix C 

Workflow - DHS Purchase Card Post Payment Audit Process 



DHS Purchase Card Program Post Payment Audit Review 




Source: DHS OIG generated based on DHS Post Payment Audit Procedures for Purchase Cards (April 2009) 
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Appendix D 

Purchase Card Transactions with Insufficient Documentation 



We examined the department's post payment audit review from July to November 2009. 
We analyzed 75 of 450 reported transactions, totaling $24,649, to determine whether the 
transactions contained information in the following 27-point internal control checklist 
based on OMB requirements. 



1 


Name of Cardholder (CH) 


2 


Approving Official (AO) 


3 


Merchant Name 


4 


Transaction Date 


5 


Transaction Amount 


6 


Item or Service Purchased 


7 


Does the documentation include a Requisition, Purchase Card worksheet, or other 
written requirement? 


8 


Did the AO approve for the purchase? 


9 


Date of Approval by AO (or other official). 


10 


Date Ordered or Date of Purchase. 


11 


Did CH provide evidence the procurement was approved prior to the purchase? 


12 


Did the CH provide evidence that funds were available prior to the purchase? 


13 


If the purchase is potentially inappropriate for government use (for example, 
expensive artwork, iPods), is there documented government need for the purchase? 


14 


Does the amount on the invoice match the amount on the requisition, worksheet, or 
other written requirement? 


15 


What is the invoice date? 


16 


What is the date of shipment? 


17 


Is the invoice date prior to the date of shipping? (Per DHS Manual, no billing for 
the merchandise should occur before shipping, except for training and 
subscriptions.) 


18 


Was sales tax charged? 


19 


If sales tax was charged, was a credit or refund received? 


20 


Is there evidence the CH found unauthorized charges (other than sales tax)? 


21 


If there is evidence the CH found unauthorized charges, did CH dispute the 
transaction(s) within 60 days? 


22 


Did the CH provide evidence the purchase was from the required sources of supply 
or service? 


23 


Did the CH provide evidence an independent third party signed for the merchandise 
or service? 


24 


Was there a separate carrier's invoice for freight greater than $100? 


25 


Did the CH provide evidence the component established accountability over 
property? 


26 


Is there evidence the CH or AO authorized or allowed someone else to use the card? 


27 


Is there evidence the CH split the purchase? If yes, explain in remarks section. 



Table 3 provides details on eight elements of required information missing from 
cardholder supporting documentation from the 75 reports we analyzed. 
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Purchase Card Transactions With Insufficient Documentation 



Table 3. Number of Files With Varying Types of Insufficient Documentation 



Component 


9. Date of Approval * 


10. Date of Purchase 


12. Whether Cardholder 
Verified Funds Availability 
Prior to Purchase 


15. Date of Invoice 


16. Date of Shipment 


22. Whether Cardholder 
Used Required Sources of 
Supply 


23. Whether Receipt Was 

Evidenced by an 
Independent Third Party 


25. Whether Cardholder 
Established Accountability 
Over Property. 


CBP 


5 


2 j 


8 


6 


8 


13 





5 


CIS 


3 





4 


3 


7 


9 


10 


7 


ICE 


6 


2 


4 


5 


8 


10 


4 


1 


TSA 





3 


1 





7 


13 


2 


12 


USCG 


3 


2 


3 


4 


6 


9 


3 


6 



* Note: Individual post payment audit reports were missing multiple pieces of information, so "type of 
insufficient documentation" numbers are greater than 75 (the number of reports analyzed). 

More specifically, for the post payment audit reports examined, transactions' supporting 
documentation did not meet the following OMB requirements: 

• Twenty-four percent did not include purchase card worksheets. 

• Thirty-nine percent did not have approving official approval for the purchase. 

• Thirty-six percent did not have evidence that funds were available prior to the 
purchase. 

• Thirty-one percent did not have purchase amounts on the invoice that matched the 
purchase amounts on the purchase card worksheets. 

• Thirty-three percent did not provide evidence that an independent third party 
signed to accept the merchandise or service. 

• Forty-nine percent did not provide evidence that the component established 
accountability over property. 
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Appendix E 

Purchase Card Categories of Transaction Definitions 

Blocked Merchant Category Codes (MCCs) - MCCs that DHS cardholders are 
blocked from using. Appendix D of the DHS Purchase Card Manual provides a list of 
blocked MCCs. All cards shall be issued with the DHS mandatory blocks in effect. 

Merchant Category Codes (MCC) - A categorization of the type of business the 
merchant is engaged in and the kinds of goods and services provided. 

Recommended Blocked MCCs - Appendix E of the DHS Purchase Card Manual 
provides a list of recommended blocked MCCs. All components shall consider the 
recommended blocked MCCs for implementation as a safeguard against questionable 
transactions. 

Single and Monthly Purchase Limits - Each Head of the Contracting Activity or 
designee should establish a stratified single and monthly purchase limit matrix, and each 
component program coordinator shall assign each cardholder spending limits consistent 
with his/her experience or position requirements to mitigate financial risk to the 
government. Before completing an order, the cardholder must ensure that the purchase is 
within the cardholder's single purchase limit and will not result in the cardholder 
exceeding the monthly limit. 

Splitting Purchases - Breaking up a larger or higher value purchase (or requirement) so 
it "fits" under the single-purchase limit established for the cardholder, such as by placing 
two or more separate orders for a supply/service to avoid exceeding the single-purchase 
or competition threshold. This practice is strictly prohibited. 

Source: DHS Purchase Card Manual (October 2009) 
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Appendix F 

OIG Data Mining Process 

Using the department Agency Program Coordinator's access to the bank 
vendor's purchase card data system, we pulled raw transaction data from 
July 1, 2009, to May 1, 2010, for CBP, CIS, ICE, TSA, and USCG, the five 
largest DHS components using purchase cards. The purchase card data 
consisted of more than 900,000 transactions valued at over $392 million. 

We initially data mined this population based on DHS Purchase Card 
Manual's transaction requirements, including - 

• Mandatory Blocked MCCs 

• Recommended Blocked MCCs 

• Transactions Over the Single-Purchase Limit 

• Transactions Over the Purchase Card Limit 

• Transactions Occurring on Weekends 

We identified the following transactions that occurred across the five 
largest DHS components, as shown in table 4. 



Table 4. First Round of Data Mined High-Risk Transactions 



CATEGORIES OF TRANSACTION 


TOTAL 
HIGH-RISK 
TRANSACTIONS 


TOTAL 
VALUES 


Blocked MCC Codes 


177 


$ 42,352 


Recommended Block MCC Codes 


225,741 


$ 96,367,269 


Over Single Purchase Limit 


1,543 


$ 10,443,347 


Over Purchase Card Limit 


99 


$ 1,465,846 


Weekend Usage 


65,283 


$ 15,846,936 



DHS program managers informed us that they do not hold components to 
the DHS Purchase Card Manual's published Mandatory Blocked and 
Recommended Blocked MCCs lists. However, components are allowed to 
bypass most mandatory blocked MCC requirements using "MCC Group 
Lists" that are approved by the department and assigned to individual 
cardholders. Upon further review, we found that component coordinators 
were assigning multiple "MCC Group Lists" to individual cardholders, 
removing almost all blocks and allowing cardholders to make purchases 
from almost any merchant. 

DHS program managers also explained that they allow component 
coordinators to bypass any blocked MCC codes based on "operational 
necessity." After one bypass, policy requires that component coordinators 
request approval from the department program coordinator when there is a 
need to force another transaction. However, there are no digital controls 
to monitor or stop component coordinators from continually bypassing 
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Appendix F 

OIG Data Mining Process 

blocked MCCs. As a result, DHS had in effect removed any mandatory 
blocks, so cardholders can complete purchase card transactions for any 
goods or services. 

Receiving copies of the "MCC Group Lists," we reran our data mining, 
taking into consideration the new "allowable transactions," with the results 
shown in table 5. 



Table 5. Identified High-Risk Transactions 



CATEGORIES OF TRANSACTION 


TOTAL 
HIGH-RISK 
TRANSACTIONS 


TOTAL 
VALUES 


Always Excluded MCCs 


78 


$30,146 


Blocks By MCC GROUP LISTS 


3,500 


$1,808,673 


Over Single-Purchase Limit 


1,543 


$10,443,347 


Over Purchase Cards Total Limit 


99 


$1,465,846 


Weekend Usage 


65,283 


$15,846,936 


TOTALS 


70,503 


$29,594,948 



We took a sample of these high-risk transactions based on MCCs, goods 
and services acquired, cardholder locations, and the transaction dollar 
amounts. We stratified our sample by the number of components' 
transactions to avoid selecting a disproportional number of reviews for a 
particular component. In the current DHS post payment audit review 
process, the methodology used selects a random sample of 45 transactions 
for each component without regard for the component's number of 
transactions. 

We reviewed 201 transactions valued at more than $184,000 for purchases 
made by 21 cardholders assigned to five components at four different 
locations, as shown in table 6. 



Table 6. Targeted High-Risk Purchase Card Transactions 



Locations 


Number of 


Number of 




Miami 


USCG 


5 


63 


$38,128.61 


Miami 


CBP 


1 


10 


$4,830.49 


DC 


CBP 


4 


35 


$60,550.40 


DC 


ICE 


3 


15 


$31,732.47 


Boston 


USCG 


4 


45 


$35,509.95 


Chicago 


CIS 


2 


16 


$9,738.15 


Chicago 


TSA 


2 


17 


$3,801.92 


TOTALS 




21 


201 


$184,291.99 
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OIG Data Mining Process 

We visited the cardholders' offices, met all 21 cardholders or their 
respective approving officials, and gathered all available supporting 
documentation from their purchase card transaction files. While on site, 
we made every effort to observe all evidence of goods or services 
purchased to determine their location and use. 
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ADDITIONAL INFORMATION AND COPIES 

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, 
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. 



OIG HOTLINE 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal 
misconduct relative to department programs or operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, 
Attention: Office of Investigations - Hotline, 
245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 



The OIG seeks to protect the identity of each writer and caller. 



